Skip to content

fix(cli): ensure Profile has corresponding CLI flags#1124

Open
cubicYYY wants to merge 5 commits into
always-further:mainfrom
cubicYYY:fix/1027-schema-cli-parity
Open

fix(cli): ensure Profile has corresponding CLI flags#1124
cubicYYY wants to merge 5 commits into
always-further:mainfrom
cubicYYY:fix/1027-schema-cli-parity

Conversation

@cubicYYY

@cubicYYY cubicYYY commented Jun 11, 2026

Copy link
Copy Markdown

Linked Issue

Closes #1027

Summary

  • Adds a CI parity check that fails if a new policy field on Profile (or any nested *Config struct) is added without an explicit categorization.
  • Completes the backsweep so the existing schema-vs-flag drift is closed.

The parity check (crates/nono-cli/tests/schema_cli_parity.rs) parses crates/nono-cli/src/profile/mod.rs with syn, walks Profile's type graph by BFS, and requires every reachable field to have one entry in mapping_table() tagged as Flag("<long-name>"), ProfileOnly("reason"), or Deprecated("reason"). Uncategorized fields fail CI as uncategorized policy field: Foo.bar. The CLI side is also syn-parsed (out of cli.rs's #[arg(...)] attributes) so platform-conditional flags don't produce false negatives.

The backsweep adds 7 CLI flags so previously profile-only knobs are reachable per-run:

  • --signal-mode, --process-info-mode, --ipc-mode - security isolation modes (clap ValueEnum-derived from the existing profile enums).
  • --wsl2-proxy-policy - Linux-only; mirrors security.wsl2_proxy_policy.
  • --rollback-exclude-glob - explicit glob-only counterpart to the legacy --rollback-exclude (which auto-routes by shape).
  • --allow-env-var, --deny-env-var - extend environment.allow_vars / environment.deny_vars.

CLI values override profile values for the mode enums; list-typed flags (env vars, rollback globs) extend rather than replace, with dedup.

Documents the convention on the Profile struct doc-comment and docs/cli/development/index.mdx so contributors see it before hitting CI.

Agent Disclosure

Most code in this PR is generated by Claude. Human review is done by myself.

Checklist

  • An issue exists and is linked above
  • All commits are signed-off, using DCO
  • All new code follows the project's coding standards (CLAUDE.md) and is covered by tests
  • Public-facing changes are paired with documentation updates
  • Release note has been added to CHANGELOG.md if needed - not added now (should we?)

Agent Compliance Check

  • I am not prohibited from contributing under this policy
  • An issue already exists
  • I disclosed that I am an agent in the issue discussion.
  • I described my intent and approach in the issue discussion.
  • I reviewed repository coding and security rules for the affected area
  • I provided required attribution for reused or adapted code (no external code reused or adapted)
  • I did not use forbidden patterns such as unwrap/expect (clippy unwrap_used clean; expect() appears only in test code, which is gated by #![allow(clippy::expect_used)] on the parity test file with a justification comment)
  • I used NonoError where required (no new error paths introduced; existing Result propagation preserved)
  • I validated and canonicalized all relevant paths (no new path-handling code; existing canonicalization preserved)
  • This PR matches the approved or disclosed issue scope.

@github-actions

github-actions Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

PR Review Summary

Size

Metric Value
Lines added +1253
Lines removed -51
Total changed 1304
Classification Large (> 300 lines)

Affected crates

  • crates/nono-cli — CLI changes. Verify argument parsing, flag documentation, and UX behaviour across supported platforms.

Blast radius — Contained

This PR touches: source code

Updated automatically on each push to this PR.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 11, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces CLI overrides for profile-defined security configurations (such as signal, process info, and IPC modes), environment variable rules, and rollback exclusion patterns, along with a new parity test suite (schema_cli_parity.rs) to ensure all profile fields are correctly mapped to CLI flags. Feedback on the changes includes optimizing string cloning in the rollback exclusion merging logic, replacing unstable let_chains syntax with nested if let statements to ensure stable Rust compatibility, and correcting queue operations in the parity tests to perform a true breadth-first search (BFS) instead of a depth-first search (DFS).

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread crates/nono-cli/src/launch_runtime.rs Outdated
Comment thread crates/nono-cli/tests/schema_cli_parity.rs
Comment thread crates/nono-cli/tests/schema_cli_parity.rs
Comment thread crates/nono-cli/tests/schema_cli_parity.rs Outdated
Comment thread crates/nono-cli/tests/schema_cli_parity.rs Outdated
@cubicYYY cubicYYY changed the title Fix/1027 schema cli parity fix(cli): ensure Profile has corresponding CLI flags Jun 11, 2026
@github-actions github-actions Bot added the bug Something isn't working label Jun 11, 2026
@cubicYYY cubicYYY force-pushed the fix/1027-schema-cli-parity branch from 60e56bb to b941ae9 Compare June 11, 2026 11:03
@cubicYYY cubicYYY force-pushed the fix/1027-schema-cli-parity branch from b941ae9 to 968f869 Compare June 15, 2026 06:15
cubicYYY added 4 commits June 15, 2026 06:16
@cubicYYY
fix: ensure policy-flags parity
d4a74a1 
Signed-off-by: CubicYYY <yyy2015c01@gmail.com>
@cubicYYY
fix: backsweep to add some missing CLI flags of configs, with unit tests
ef0b74e 
Signed-off-by: CubicYYY <yyy2015c01@gmail.com>
@cubicYYY
fix: optimize the patch
829085e 
Signed-off-by: CubicYYY <yyy2015c01@gmail.com>
@cubicYYY
fix: categorize EnvironmentConfig.set_vars after rebase from main
645e058 
PR always-further#1134 added EnvironmentConfig.set_vars on main while this PR was
in flight. The schema_cli_parity test correctly flagged it as
uncategorized after the rebase: exactly the failure mode this check
was built to catch.

Categorized as ProfileOnly: it's a HashMap with shell-style expansion
and main's docstring frames it as an "auditable operator decision",
arguing for profile-only authoring rather than ad-hoc CLI use. A
follow-up PR can add a flag if maintainers want one.

Signed-off-by: CubicYYY <yyy2015c01@gmail.com>
@cubicYYY cubicYYY force-pushed the fix/1027-schema-cli-parity branch from 968f869 to 645e058 Compare June 15, 2026 06:17
@lukehinds lukehinds requested review from SequeI and lukehinds June 15, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukehinds lukehinds Awaiting requested review from lukehinds
@SequeI SequeI Awaiting requested review from SequeI
1 more reviewer
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bug Something isn't working nono-cli size/large

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

flags and policy should always have parity

2 participants

@cubicYYY @SequeI